Common Sense Guide to Prevention and Detection of Insider Threats PDF

88 Pages·2008·0.37 MB·English

Common Sense Guide to Prevention and Detection of Insider Threats
3rd Edition – September 2008
Carnegie Mellon University CyLab

Authors
Dawn Cappelli
Andrew Moore
Randall Trzeciak
Timothy J. Shimeall

Copyright 2008 Carnegie Mellon University
FOR CYLAB MEMBERS ONLY – DO NOT DISTRIBUTE

NO WARRANTY
THIS CARNEGIE MELLON UNIVERSITY MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.

Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works.

External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be directed to [email protected].

Table of Contents

INTRODUCTION (p. 4)
WHAT IS MEANT BY "INSIDER THREAT?" (p. 5)
CERT’S DEFINITION OF A MALICIOUS INSIDER (p. 5)
ARE INSIDERS REALLY A THREAT? (p. 6)
WHO SHOULD READ THIS REPORT? (p. 8)
CAN INSIDERS BE STOPPED? (p. 8)
ACKNOWLEDGEMENTS (p. 9)
PATTERNS AND TRENDS OBSERVED BY TYPE OF MALICIOUS INSIDER ACTIVITY (p. 11)
INSIDER IT SABOTAGE (p. 15)
THEFT OR MODIFICATION FOR FINANCIAL GAIN (p. 18)
THEFT OF INFORMATION FOR BUSINESS ADVANTAGE (p. 21)
SUMMARY (p. 24)
BEST PRACTICES FOR THE PREVENTION AND DETECTION OF INSIDER THREATS (p. 27)
SUMMARY OF PRACTICES (p. 27)
PRACTICE 1: CONSIDER THREATS FROM INSIDERS AND BUSINESS PARTNERS IN ENTERPRISE-WIDE RISK ASSESSMENTS. (UPDATED) (p. 32)
PRACTICE 2: CLEARLY DOCUMENT AND CONSISTENTLY ENFORCE POLICIES AND CONTROLS. (NEW) (p. 36)
PRACTICE 3: INSTITUTE PERIODIC SECURITY AWARENESS TRAINING FOR ALL EMPLOYEES. (UPDATED) (p. 39)
PRACTICE 4: MONITOR AND RESPOND TO SUSPICIOUS OR DISRUPTIVE BEHAVIOR, BEGINNING WITH THE HIRING PROCESS. (UPDATED) (p. 43)
PRACTICE 5: ANTICIPATE AND MANAGE NEGATIVE WORKPLACE ISSUES. (NEW) (p. 47)
PRACTICE 6: TRACK AND SECURE THE PHYSICAL ENVIRONMENT. (NEW) (p. 49)
PRACTICE 7: IMPLEMENT STRICT PASSWORD AND ACCOUNT MANAGEMENT POLICIES AND PRACTICES. (UPDATED) (p. 52)
PRACTICE 8: ENFORCE SEPARATION OF DUTIES AND LEAST PRIVILEGE. (UPDATED) (p. 55)
PRACTICE 9: CONSIDER INSIDER THREATS IN THE SOFTWARE DEVELOPMENT LIFE CYCLE. (NEW) (p. 59)
PRACTICE 10: USE EXTRA CAUTION WITH SYSTEM ADMINISTRATORS AND TECHNICAL OR PRIVILEGED USERS. (UPDATED) (p. 63)
PRACTICE 11: IMPLEMENT SYSTEM CHANGE CONTROLS. (UPDATED) (p. 66)
PRACTICE 12: LOG, MONITOR, AND AUDIT EMPLOYEE ONLINE ACTIONS. (UPDATED) (p. 70)
PRACTICE 13: USE LAYERED DEFENSE AGAINST REMOTE ATTACKS. (UPDATED) (p. 74)
PRACTICE 14: DEACTIVATE COMPUTER ACCESS FOLLOWING TERMINATION. (UPDATED) (p. 77)
PRACTICE 15: IMPLEMENT SECURE BACKUP AND RECOVERY PROCESSES. (UPDATED) (p. 81)
PRACTICE 16: DEVELOP AN INSIDER INCIDENT RESPONSE PLAN. (NEW) (p. 85)
REFERENCES/SOURCES OF BEST PRACTICES (p. 87)

INTRODUCTION

In 2005, the first version of the Common Sense Guide to Prevention and Detection of Insider Threats was published by Carnegie Mellon University’s CyLab. The document was based on the insider threat research performed by CERT, primarily the Insider Threat Study [1] conducted jointly with the U.S. Secret Service. It contained a description of twelve practices that would have been effective in preventing or detecting malicious insider activity in 150 actual cases collected as part of the study. The 150 cases occurred in critical infrastructure sectors in the U.S. between 1996 and 2002.

A second edition of the guide was released in July of 2006. The second edition included a new type of analysis – by type of malicious insider activity. It also included a new section that presented a high-level picture of different types of insider threats: fraud, theft of confidential or proprietary information, and sabotage. In addition, it contained new and updated practices based on new CERT insider threat research funded by Carnegie Mellon CyLab [2] and the U.S. Department of Defense Personnel Security Research Center [3]. Those projects involved a new type of analysis of the insider threat problem focused on determining high-level patterns and trends in the cases. Specifically, those projects examined the complex interactions, relative degree of risk, and unintended consequences of policies, practices, technology, insider psychological issues, and organizational culture over time.

This third edition of the Common Sense Guide once again reflects new insights from ongoing research at CERT. CyLab has funded the CERT Insider Threat Team to collect and analyze new insider threat cases on an ongoing basis. The purpose of this ongoing effort is to maintain a current state of awareness of the methods being used by insiders to commit their attacks, as well as new organizational issues influencing them to attack. This version of the guide includes new and updated practices based on an analysis of approximately 100 recent insider threat cases that occurred from 2003 to 2007 in the U.S.

In this edition of the guide, CERT researchers also present new findings derived from looking at insider crimes in a new way. The intent of the research was to analyze 118 cases of insider theft and insider fraud to identify patterns of insider behavior, organizational events or conditions, and technical issues across the cases. The analysis revealed a surprising finding: the patterns identified separated the crimes into two classes different from those originally expected:

• Theft or modification of information for financial gain – This class includes cases where insiders used their access to organization systems either to steal information that they sold to outsiders, or to modify information for financial gain for themselves or others.

• Theft of information for business advantage – This class includes cases where insiders used their access to organization systems to obtain information that they used for their own personal business advantage, such as obtaining a new job or starting their own business.

It is important that organizations recognize the differences in the types of employees who commit each type of crime, as well as how each type of incident evolves over time. This version of the guide therefore presents patterns and trends observed in each type of malicious activity: theft or modification for financial gain, theft for business advantage, IT sabotage, and miscellaneous (incidents that do not fall into any of the three above categories).

There have been minor updates to the IT sabotage information in this guide; however, the most significant enhancements in this edition were made to the theft and modification sections. Some new practices were added in this edition that did not exist in the second edition. In addition, every practice from the second edition has been modified, some significantly and others to a lesser degree, to reflect new insights from the past year’s research at CERT. Case examples from the second edition were retained in this edition for the benefit of new readers. However, a Recent Findings section was included for all updated practices. It details recent cases that highlight new issues not covered in the previous edition of this guide.

[1] See http://www.cert.org/insider_threat/study.html for more information on the Insider Threat Study.
[2] A report describing the MERIT model of insider IT sabotage, funded by CyLab, can be downloaded at http://www.cert.org/archive/pdf/08tr009.pdf.
[3] A report describing CERT’s insider threat research with the Department of Defense can be downloaded from http://www.cert.org/archive/pdf/06tr026.pdf.

What is Meant by "Insider Threat?"

CERT’s definition of a malicious insider is

A current or former employee, contractor, or business partner who
• has or had authorized access to an organization’s network, system, or data and
• intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems

Note that one type of insider threat is excluded from this guide: cases of espionage involving classified national security information.

The scope of insider threats has been expanding beyond the traditional threat posed by a current or former employee. Specifically, the CERT team has noted the following important new issues in the expanding scope of insider threat.

Collusion with outsiders: Insider threat has expanded beyond the organizational boundary. Half of the insiders who stole or modified information for financial gain were actually recruited by outsiders, including organized crime and foreign organizations or governments. It is important to pay close attention to the section of the guide titled “Theft or Modification of Information for Financial Gain.” It will help you understand the types of employees who may be susceptible to recruitment.

Business partners: A recent trend noted by the CERT research team is the increase in the number of insider crimes perpetrated not by employees, but by employees of trusted business partners who have been given authorized access to their clients’ networks, systems, and data. Suggestions for countering this threat are presented in Practice 1.

Mergers and acquisitions: A recent concern voiced to the CERT team by industry is the heightened risk of insider threat in organizations being acquired by another organization. It is important that organizations recognize the increased risk of insider threat both within the acquiring organization and in the organization being acquired, as employees endure stress and an uncertain organizational climate. Readers involved in an acquisition should pay particular attention to most of the practices in this guide.

Cultural differences: Many of the patterns of behavior observed in CERT’s insider threat modeling work are reflected throughout this guide. However, it is important for readers to understand that cultural issues could influence employee behaviors; those same behavioral patterns might not be exhibited in the same manner by people who were raised or spent extensive time outside of the U.S.

Issues outside the U.S.: CERT’s insider threat research is based on cases that occurred inside the United States. It is important for U.S. companies operating branches outside the U.S. to understand that, in addition to the cultural differences influencing employee behavior, portions of this guide might also need to be tailored to legal and policy differences in other countries.

Are insiders really a threat?

The threat of attack from insiders is real and substantial. The 2007 E-Crime Watch Survey™ conducted by the United States Secret Service, the CERT® Coordination Center (CERT/CC), Microsoft, and CSO Magazine [4] found that in cases where respondents could identify the perpetrator of an electronic crime, 31% were committed by insiders. In addition, 49% of respondents experienced at least one malicious, deliberate insider incident in the previous year. The impact from insider attacks can be devastating. One employee working for a manufacturer stole blueprints containing trade secrets worth $100 million, and sold them to a Taiwanese competitor in hopes of obtaining a new job with them.

[4] http://www.cert.org/archive/pdf/ecrimesummary07.pdf

Over the past several years, Carnegie Mellon University has been conducting a variety of research projects on insider threat. One of the conclusions reached is that insider attacks have occurred across all organizational sectors, often causing significant damage to the affected organizations. Examples of these acts include the following:

• “Low-tech” attacks, such as modifying or stealing confidential or sensitive information for personal gain.
• Theft of trade secrets or customer information to be used for business advantage or to give to a foreign government or organization.
• Technically sophisticated crimes that sabotage the organization’s data, systems, or network.

Damages in many of these crimes are not only financial; widespread public reporting of the event can also severely damage the organization’s reputation.

Insiders have a significant advantage over others who might want to harm an organization. Insiders can bypass physical and technical security measures designed to prevent unauthorized access. Mechanisms such as firewalls, intrusion detection systems, and electronic building access systems are implemented primarily to defend against external threats. However, not only are insiders aware of the policies, procedures, and technology used in their organizations, but they are often also aware of their vulnerabilities, such as loosely enforced policies and procedures or exploitable technical flaws in networks or systems.

CERT’s research indicates that use of many widely accepted best practices for information security could have prevented many of the insider attacks examined. Part of CERT’s research of insider threat cases entailed an examination of how each organization could have prevented the attack or at the very least detected it earlier. Previous editions of the Common Sense Guide identified existing best practices critical to the mitigation of the risks posed by malicious insiders. This edition identifies additional best practices based on new methods and contextual factors in recent cases, and also presents some new suggestions for countering insider threat based on findings that could not be linked to established best practices. Based on our research to date, the practices outlined in this report are the most important for mitigating insider threats.

Who should read this report?

This guide is written for a diverse audience. Decision makers across an organization can benefit from reading it. Insider threats are influenced by a combination of technical, behavioral, and organizational issues, and must be addressed by policies, procedures, and technologies. Therefore, it is important that management, human resources, information technology, software engineering, legal, security staff, and the “owners” of critical data understand the overall scope of the problem and communicate it to all employees in the organization.

The guide outlines practices that should be implemented throughout organizations to prevent insider threats. It briefly describes each practice, explains why it should be implemented, and provides one or more actual case examples illustrating what could happen if it is not, as well as how the practice could have prevented an attack or facilitated early detection. Much has been written about the implementation of these practices (a list of references on this topic is provided at the end of this guide). This report provides a synopsis of those practices, and is intended to convince the reader that someone in the organization should be given responsibility for reviewing existing organizational policies, processes, and technical controls and for recommending necessary additions or modifications.

Can insiders be stopped?

Insiders can be stopped, but stopping them is a complex problem. Insider attacks can only be prevented through a layered defense strategy consisting of policies, procedures, and technical controls. Therefore, management must pay close attention to many aspects of its organization, including its business policies and procedures, organizational culture, and technical environment. It must look beyond information technology to the organization’s overall business processes and the interplay between those processes and the technologies used.

Acknowledgements

In sponsoring the Insider Threat Study, the U.S. Secret Service provided more than just funding for CERT’s research. The joint study team, composed of CERT information security experts and behavioral psychologists from the Secret Service’s National Threat Assessment Center, defined the research methodology and conducted the research that has provided the foundation for all of CERT’s subsequent insider threat research. The community as a whole owes a debt of gratitude to the Secret Service for sponsoring and collaborating on the original study, and for permitting CERT to continue to rely on the valuable casefiles from that study for ongoing research. Specifically, CERT would like to thank Dr. Marisa Reddy Randazzo, Dr. Michelle Keeney, Eileen Kowalski, and Matt Doherty from the National Threat Assessment Center, and Cornelius Tate, David Iacovetti, Wayne Peterson, and Tom Dover, our liaisons with the Secret Service during the study.

The authors would also like to thank the CERT members of the Insider Threat Study team, who reviewed and coded cases, conducted interviews, and assisted in writing the study reports: Christopher Bateman, Casey Dunlevy, Tom Longstaff, David Mundie, Stephanie Rogers, Timothy Shimeall, Bradford Willke, and Mark Zajicek.

Since the Insider Threat Study, the CERT team has been fortunate to work with psychologists who have contributed their vast experience and new ideas to our work: Dr. Eric Shaw, a Visiting Scientist on the CERT Insider Threat team who has contributed to most of the CERT insider threat projects; Dr. Steven Band, former Chief of the FBI Behavioral Sciences Unit, who has provided expertise on psychological issues; and Dr. Lynn Fischer from the Department of Defense Personnel Security Research Center, who sponsored CERT’s initial insider threat research and has continued to work with the CERT team on various insider threat projects.

The CERT team is extremely appreciative of the ongoing funding provided by CyLab. The impact of the insider threat research sponsored by CyLab has been enormous, within industry and government, and inside the U.S. as well as globally. CyLab has provided key funding that has enabled the CERT team to perform research for the benefit of all: government and industry, technical staff as well as management. Specifically, we would like to thank Pradeep Khosla, Don McGillen, and Linda Whipkey, who have been advocates for CERT’s insider threat research since its inception, as well as Richard Power, Gene Hambrick, Virgil Gligor, and Adrian Perig, with whom the CERT team has had the pleasure of working over the past year.

The CERT team has had assistance from various CyLab graduate students over the past few years. These students enthusiastically joined the team and devoted their precious time to the CERT insider threat projects: Akash Desai, Hannah Benjamin-Joseph, Christopher Nguyen, Adam Cummings, and Tom Carron. Special thanks to Tom, who is a current member of the CERT/CyLab insider threat team, and who willingly dropped everything he was doing over and over again to search the database for specific examples we needed to make this report as compelling as possible.

The Secret Service provided the 150 original casefiles for CERT’s insider threat research. CyLab’s research required identification and collection of additional case materials. The CERT team gratefully acknowledges the hard work and long hours, including many weekends, spent by Sheila Rosenthal, SEI’s Manager of Library Services, assisting with this effort. Sheila was instrumental in obtaining the richest source materials available for more than 100 new cases used in the team’s CyLab-sponsored research.

Finally, CERT would like to thank all of the organizations, prosecutors, investigators, and convicted insiders who agreed to provide confidential information to the team to enhance the research. It is essential to the community that all of the “good guys” band together and share information so that together we can keep employees happy, correct problems before they escalate, and use our technical resources and business processes to prevent malicious insider activity or detect the precursors to a devastating attack.